335584f502
CVE-2017-8309: audio: host memory lekage via capture buffer (bz #1446520) CVE-2017-8379: input: host memory lekage via keyboard events (bz #1446560) CVE-2017-8380: scsi: megasas: out-of-bounds read in megasas_mmio_write (bz #1446578) CVE-2017-7493: 9pfs: guest privilege escalation in virtfs mapped-file mode (bz #1451711) CVE-2017-9503: megasas: null pointer dereference while processing megasas command (bz #1459478) CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging (bz #1468497) CVE-2017-9524: nbd: segfault due to client non-negotiation (bz #1460172) CVE-2017-10664: qemu-nbd: server breaks with SIGPIPE upon client abort (bz #1466192)
38 lines
1.3 KiB
Diff
38 lines
1.3 KiB
Diff
From: Paolo Bonzini <pbonzini@redhat.com>
|
|
Date: Thu, 1 Jun 2017 17:18:57 +0200
|
|
Subject: [PATCH] megasas: do not read iovec count more than once from frame
|
|
|
|
Avoid TOC-TOU bugs depending on how the compiler behaves.
|
|
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
(cherry picked from commit 24c0c77af515acbf0f9705e8096f33ef24d37430)
|
|
---
|
|
hw/scsi/megasas.c | 9 +++++----
|
|
1 file changed, 5 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
|
index 1888118e5f..c353118882 100644
|
|
--- a/hw/scsi/megasas.c
|
|
+++ b/hw/scsi/megasas.c
|
|
@@ -675,15 +675,16 @@ out:
|
|
static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
|
|
{
|
|
dma_addr_t iov_pa, iov_size;
|
|
+ int iov_count;
|
|
|
|
cmd->flags = le16_to_cpu(cmd->frame->header.flags);
|
|
- if (!cmd->frame->header.sge_count) {
|
|
+ iov_count = cmd->frame->header.sge_count;
|
|
+ if (!iov_count) {
|
|
trace_megasas_dcmd_zero_sge(cmd->index);
|
|
cmd->iov_size = 0;
|
|
return 0;
|
|
- } else if (cmd->frame->header.sge_count > 1) {
|
|
- trace_megasas_dcmd_invalid_sge(cmd->index,
|
|
- cmd->frame->header.sge_count);
|
|
+ } else if (iov_count > 1) {
|
|
+ trace_megasas_dcmd_invalid_sge(cmd->index, iov_count);
|
|
cmd->iov_size = 0;
|
|
return -EINVAL;
|
|
}
|